Brazilian crypto holders are being warned about a sophisticated hacking campaign that spreads through WhatsApp using a combination of a hijacking worm and a banking trojan.
A new report from Trustwave’s SpiderLabs reveals that the trojan—known as “Eternidade Stealer”—is distributed through social-engineering tactics on WhatsApp, including fake government program alerts, bogus delivery updates, messages posing as friends, and fraudulent investment group invites.
“WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware,” said SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.
In simple terms, clicking the malicious link triggers a chain reaction that installs both the worm and the banking trojan on the victim’s device.
The worm takes over the user’s WhatsApp account, harvests their contact list, and uses “smart filtering” to skip business contacts and groups—focusing instead on individual targets to maximize spread.
At the same time, the banking trojan silently downloads a file that deploys Eternidade Stealer in the background. This malware can scan the device for financial data and login credentials tied to numerous Brazilian banks, fintech platforms, crypto exchanges, and digital wallets.

The malware also employs a clever method to avoid detection and shutdown. Instead of relying on a fixed command-and-control (C2) server, it uses a preset Gmail account to receive new instructions. Hackers can update these commands simply by sending new emails.
“One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,” the report notes.
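For defenders, the mailbox lookup described above leaves a pattern that can be hunted in endpoint network telemetry: a process that is not a mail client opens a mail-retrieval session and then contacts a new destination. The sketch below is an added example, not code from the SpiderLabs report; the log format, process names, allowlist, time window, and the choice of mail-retrieval ports are all assumptions, and the sample rows are constructed.

```python
import csv
import io

# Assumption: the article does not name the mail protocol, so this hunt covers
# the standard mail-retrieval ports (POP3 110/995, IMAP 143/993).
MAIL_PORTS = {110, 143, 993, 995}
# Assumption: processes this environment expects to talk to mail servers.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
WINDOW = 120  # seconds after a mailbox session in which follow-on traffic is recorded

# Constructed sample telemetry: epoch_seconds,host,process,dest,dest_port
SAMPLE = """\
1000,PC-01,thunderbird.exe,imap.gmail.com,993
1010,PC-01,chrome.exe,www.example.com,443
2000,PC-02,updater.exe,imap.gmail.com,993
2030,PC-02,updater.exe,c2.example.net,443
2040,PC-02,updater.exe,c2.example.net,443
3000,PC-03,sync.exe,198.51.100.7,8443
"""

def parse(text):
    """Parse CSV telemetry into time-ordered (ts, host, proc, dest, port) tuples."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if row:  # skip blank lines
            ts, host, proc, dest, port = row
            rows.append((int(ts), host, proc.lower(), dest.lower(), int(port)))
    return sorted(rows)

def hunt(text):
    """Flag non-mail-client processes that open a mailbox session, and list
    the destinations the same process contacts within WINDOW seconds after."""
    findings = {}
    for ts, host, proc, dest, port in parse(text):
        key = (host, proc)
        if port in MAIL_PORTS:
            if proc not in MAIL_CLIENTS:
                f = findings.setdefault(key, {"mail_host": dest, "followed_by": []})
                f["last_login"] = ts
        elif key in findings and ts - findings[key]["last_login"] <= WINDOW:
            if dest not in findings[key]["followed_by"]:
                findings[key]["followed_by"].append(dest)
    return findings

if __name__ == "__main__":
    for (host, proc), f in hunt(SAMPLE).items():
        print(host, proc, f["mail_host"], "->", f["followed_by"])
```

This only covers the mailbox path; the hardcoded fallback address the report mentions would need to be matched against published indicators instead.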
Brazil remains a prime target. According to data from Chainalysis, it is the top country for crypto adoption in Latin America and ranks fifth in the firm’s 2025 Global Crypto Adoption Index. The index measures countries’ engagement with various crypto services and considers factors such as population size and purchasing power.
How to stay safe
Users of apps like WhatsApp should treat any unsolicited link with caution—even if it appears to come from a trusted contact. When in doubt, reach out to the sender through a different app to verify the message, and be wary of links shared without context.
Keeping apps and operating systems updated can help patch vulnerabilities often targeted by malware, while reputable antivirus tools may flag suspicious activity.
If a device is compromised, it’s critical to immediately freeze access to all banking and crypto accounts to limit further losses. Tracking stolen funds may also help exchanges, investigators, or authorities identify the destination wallets—potentially enabling them to freeze the attackers’ assets.

